Chasing Perfection to Find Excellence
Because most information security executives work for companies where security isn’t their product or service, security often is seen as a cost center and not a profit center. That’s not to say these organizations don’t see security as a high priority, especially in the financial services industry (e.g., banking, investment, and insurance) or in healthcare. However, since security doesn’t generally generate profit, it’s typically viewed as a support function that eats away at a company’s bottom line.
Excellence is less a state than an ongoing journey
This applies to other necessary support functions that must minimize their impact on the company’s expense ratio. Early in my engagement as CISO at People’s United Bank, Executive Vice President Hank Mandel told me, “You don’t have to have a great security program, but it must be good enough.” That made me think of the quote from legendary football coach Vince Lombardi, who once said, “Perfection is not attainable, but if we chase perfection, we can catch excellence.” He was absolutely right, but what defines excellence? This launched my quest: I will chase perfection knowing that excellence is in the realm of possibility.
At that time, we were generally more concerned with regulatory compliance and reputation risk than the direct criminal threat. Criminal, hacktivist, and state-sponsored threats were not as prominent, at least in regional and community banks. Data breaches were most often unencrypted lost tapes or other physical loss of media. Being good enough, per Mr. Mandel, or chasing perfection, as I call it, meant ensuring a known consistent state of compliance while taking appropriate and reasonable measures to protect clients. The challenge remains knowing what excellence is before finding out it wasn’t good enough through an unfortunate situation.
I have realized excellence is less a state than an ongoing journey. To be excellent requires a solid security framework, an effective systemic control structure, continuous intelligence flow, monitoring of your environment and adjustments as changes occur. That which is excellent today for one company may not be next month or may never be good enough for another company. While not exhaustive, the following rules will help your program stand up to the test of “excellence” for your organization.
Know your risk: Knowing your risk requires a comprehensive organizational risk assessment that defines your business profile, your digital and information profile, analysis of industry threats, and analysis of external and internal threats to arrive at your individual risk profile. Address your third-party risk–services that are provided by third parties. Generate a risk register that denotes the inherent risks to your organization, the mitigating factors (process, people and existing technology) and then the residual risk. Include potential and impact of risk realization to give a good basis for how much your company should care.
Prioritize risk: Even with full executive support and unlimited funds, everything can’t be done at once. Prioritize what risk you are addressing through a process of determining what residual risk exists and the threat to your company. It is very important to understand this decision is not one the CISO should make. The CISO should advise and provide context, but this is a company risk decision and must be made through the established risk management decision-making process. Because of the potential ramifications, the board should be made aware of the risk register and which risks are being accepted, mediated, eliminated, or transferred. In practical terms, the decision is generally which risks we are going to address first, not which ones we are going to worry about. This prioritization is critical to budgetary and resource requirements. Never make decisions about cyber risk remediation based on available spend, but fiscal constraints will always be a consideration in prioritization. Your program must be informed by the risk tolerance of the organization. Risk tolerance can be expressed in potential dollar loss but may be less tangible in terms of reputational or regulatory impact.
Take action: Once priorities are set and resources are committed, take decisive and bold actions in addressing the risk, whether simple solutions or more complex, multiyear initiatives like data protection and access management programs. Your program must run multiple work streams. To be effective, final results must address process, people, and technology. Technology shouldn’t be selected or implemented until you have a solid process defined. If the process doesn’t work on the “white board,” don’t waste time and money automating it. Then when the solution is set, make sure you have addressed the people issue–skilled people that can maintain and provide continuous improvement.
Monitor changes in threat landscape: It’s vital that once a program reaches “excellence” you monitor for changes that could cause it to not be good enough, including changes in business process, technology, staffing protocol (going to contract or outsource models), vendors, or the criminal, hacktivist or state-sponsored threat. Investment in a good threat intelligence program will pay dividends. Part of being good enough is having systemic controls that are flexible to respond to changes in threats without having to rebuild your security posture.